Gerrit 2.5 includes the bug fixes done with
Gerrit 2.4.1 and
Gerrit 2.4.2. These bug fixes are not
listed in these release notes.

Schema Change

WARNING: This release contains schema changes. To upgrade:

java -jar gerrit.war init -d site_path

WARNING: Upgrading to 2.5.x requires the server be first upgraded to 2.1.7 (or
a later 2.1.x version), and then to 2.5.x. If you are upgrading from 2.2.x.x or
newer, you may ignore this warning and upgrade directly to 2.5.x.

Warning on upgrade to schema version 68

The migration to schema version 68, may result in a warning, which can
be ignored when running init in the interactive mode.

This migration is creating an index for the
submodule feature in
Gerrit. When the submodule feature was introduced the index was only
created when a new site was initialized, but not when Gerrit was
upgraded. This migration tries to create the index, but it will only
succeed if the index does not exist yet. If the index exists already,
the creation of the index will fail. There was no database independent
way to detect this case and this is why this migration leaves it to the
user to decide if a failure should be ignored or not. If from the error
message you can see that the migration failed because the index exists
already (as in the example above), you can safely ignore this warning.

Upgrade Warnings

Replication

Gerrit 2.5 no longer includes replication support out of the box.
Servers that reply upon replication.config to copy Git repository
data to other locations must also install the replication plugin.

Cache Configuration

Disk caches are now backed by individual H2 databases, rather than
Ehcache’s own private format. Administrators are encouraged to clear
the '$site_path'/cache directory before starting the new server.

The cache.NAME.diskLimit configuration variable is now expressed in
bytes of disk used. This is a change from previous versions of Gerrit,
which expressed the limit as the number of entries rather than bytes.
Bytes of disk is a more accurate way to size what is held. Admins that
set this variable must update their configurations, as the old values
are too small. For example a setting of diskLimit = 65535 will only
store 64 KiB worth of data on disk and can no longer hold 65,000 patch
sets. It is recommended to delete the diskLimit variable (if set) and
rely on the built-in default of 128m.

The cache.diff.memoryLimit and cache.diff_intraline.memoryLimit
configuration variables are now expressed in bytes of memory used,
rather than number of entries in the cache. This is a change from
previous versions of Gerrit and gives administrators more control over
how memory is partitioned within a server. Admins that set this variable
must update their configurations, as the old values are too small.
For example a setting of memoryLimit = 1024 now means only 1 KiB of
data (which may not even hold 1 patch set), not 1024 patch sets. It
is recommended to set these to 10m for 10 MiB of memory, and
increase as necessary.

The cache.NAME.maxAge variable now means the maximum amount of time
that can elapse between reads of the source data into the cache, no
matter how often it is being accessed. In prior versions it meant how
long an item could be held without being requested by a client before
it was discarded. The new meaning of elapsed time before consulting
the source data is more useful, as it enables a strict bound on how
stale the cached data can be. This is especially useful for slave
servers account and permission data, or the ldap_groups cache, where
updates are often made to the source without telling Gerrit to reload
the cache.

New Features

Plugins

The Gerrit server functionality can be extended by installing plugins.
Depending on how tightly the extension code is coupled with the Gerrit
server code, there is a distinction between
plugins and
extensions.

Site administrators can alias SSH commands from a plugin into the
gerrit namespace.

The aliases are configured statically at server startup, but are
resolved dynamically at invocation time to the currently loaded
version of the plugin. If the plugin is not loaded, or does not
define the command, "not found" is returned to the user.

If a plugin has no modules declared in the manifest, automatically
generate the modules for the plugin based on the class files that
appear in the plugin and the @Export annotations that appear on
these concrete classes.

The static/ and Documentation/ resource directories of a plugin can be
served over HTTP for any loaded and running plugin, even if it has no
other HTTP handlers. This permits a plugin to supply icons or other
graphics for the web UI, or documentation content to help users learn
how to use the plugin.

When a plugin is stopped, schedule a Plugin Cleaner task to run
1 minute later to try and clean out the garbage and release the
JAR from $site_path/tmp.

Export LifecycleListener as extension point

Extensions may need to know when they are starting or stopping.
Export the interface that they can use to learn this information.

Support injection of ServerInformation into extensions and plugins

Plugins can take this value by injection and learn the current
server state during their own LifecycleListener. This enables a
plugin to determine if it is loading as part of server startup, or
because it was dynamically installed or reloaded by an administrator.

In addition the /query API has been deprecated. By default it is
still available but server administrators may disable it by setting
the site.enableDeprecatedQuery parameter in the Gerrit config file. This
allows to enforce tools to move to the new API.

Web

Change Screen

Display commit message in a box

The commit message on the change screen is now placed in a box with a
title and emphasis on the commit summary. The star icon and the
permalink are displayed in the box header. The header from the change
screen is removed as it only held duplicate information.

Open the dependency section automatically when the change is needed
by an open change

Only show a change as needed by if its current patch set depends on
the change

Show only changes of the same project in the Depends On section

If two projects share the same history it can happen that the same
commit is pushed for both projects, resulting in two changes. If now
a successor commit is pushed for one of the projects, the resulting
successor change was wrongly listing both changes in the Depends On
section. Now only the predecessor change of the own project is listed.

So far the approval table that shows the reviewers and their current
votes was only shown on the ChangeScreen. Now it is also shown on the
PublishCommentScreen. This allows the reviewer to see all existing
votes and reviewers when doing their own voting and publishing of
comments. Seeing the existing votes helps the reviewer in
understanding which votes are still required before the change can be
submitted.

If the parent commit has a very long subject (> 80 characters) shorten
the subject for displaying it in the Gerrit web UI on the change screen.
This avoids that the Parent(s) cell for the patch set becomes very
wide.

If subject is shortened for displaying in the UI indicate this by …

If a commit has a very long subject line (> 80 characters) it is
shortened when it is displayed in the Gerrit Web UI. Indicate to the
user that the subject was shortened by appending … to the shortened
subject.

Also the subject is now cropped after a whitespace if possible.

Insert Change-Id for revert commits

The Revert Change action on a merged change allows to create a new
change that reverts the merged change. The commit message of the revert
commit now contains a Change-Id.

It is convenient if a Change-Id is automatically created and inserted
into the commit message of the revert commit since it makes rebasing of
the revert commit easier.

Use more gentle shade of red to highlight outdated dependencies

Patch Screens

New patch screen header

A new patch screen header was added that is displayed above both the
side-by-side and unified views. The new header contains actual links to
the available patchsets and shows which patchset is being currently
displayed.

User Dashboard

the user is reviewer of the change but hasn’t published any change
message for the current patch set

the user has published a change message for the current patch set,
but afterwards the change owner has published a change message on
the change

Sort outgoing reviews in the user dashboard by created date

Sort incoming reviews in the user dashboard by updated date

Sorting the incoming reviews by last updated date, descending, places
the most recently updated reviews at the top of the list for a user,
and the oldest stale at the bottom. This may help users to identify
items to take immediate action on, as they appear closer to the top.

Access Rights Screen

Display error if modifying access rights for a ref is forbidden

If a user is owner of at least one ref he is able to edit the access
rights on a project. If he adds access rights for other refs, these
access rights were silently ignored on save. Instead of this now an
error message is displayed to inform the user that he doesn’t have
permissions to do the update for these refs.

In case of such an error the project access screen stays in the edit
mode so that the unsaved modifications are not lost. The user may now
propose the changes to the access rights through code review.

Allow to propose changes to access rights through code review

Users that are able to upload changes for code review for the
refs/meta/config branch can now propose changes to the project access
rights through code review directly from the ProjectAccessScreen.

When editing the project access rights there is a new button
Save for Review which will create a new change for the access
rights modifications. Project owners are automatically added as
reviewer to this change. If a project owner agrees to the access rights
modifications he can simply approve and submit the change.

Show all access rights in WebUI if user can read refs/meta/config

Users who can read the refs/meta/config branch, can see all access
rights by fetching this branch and looking at the project.config
file. Now they can see the same information in the web UI.

Allow extra group suggestions for project owners

When suggesting groups to a user, only groups that are visible to the
user are suggested. These are those group that the user is member of.
For project owners now also groups to which they are not a member are
suggested when editing the access rights of the project.

Other

Accessing a change URL was failing with Application Error - The page
you requested was not found, or you do not have permission to view this
page if the user was not signed in and the change was not visible to
Anonymous Users. Instead Gerrit now asks the user to login and
afterwards shows the change to the user if it exists and is visible.
If the change doesn’t exist or is not visible, the user will still get
the NotFoundScreen after sign in.

Link to owner query from user names

Instead of linking from a user name to the user’s dashboards, link to
a search for changes owned by that user.

Let site administrators direct users to their own ticket queue, as for
many servers most of the reported bugs are small internal problems like
asking for a repository to be created or updating group memberships.

On project creation allow choosing the parent project from a popup

In the create project UI a user can now browse all projects and select
one as parent for the new project.

Check for open changes on branch deletion

Check for open changes when deleting a branch in the Gerrit WebUI.
Delete a branch only if there are no open changes for this branch.
This makes users aware of open changes when deleting a branch.

Enable ProjectBranchesScreen for the All-Projects project

This allows to see the branches of the All-Projects project in the
web UI.

Show for each project in the project list a link to the repository
browser (e.g. GitWeb).

Move the project listing menu items to a new top-level item

Finding the project listing was very opaque to end users. Nobody
expected to look under Admin and furthermore, anonymous users were
unable to find that link at all.

Introduced a new top-level Projects menu that has List in it to
take you to the project listing.

In addition the Create new project link from the top of that listing
was moved to this new menu.

Move the Groups and Plugins menu items to the top level

The top-level Admin menu is removed as it is now unnecessary after the
Projects, Groups and Plugins menu items were moved to the top-level.

Move form for group creation to own screen

Move the form for the group creation from the GroupListScreen to an
own new CreateGroupScreen and add a link to this screen at the
beginning of the GroupListScreen. The link to the CreateGroupScreen is
only visible if the user has the permission to create new groups.

Since the LDAP group type was removed there
is no need to display the group type on the group list screen anymore.
There are only 3 SYSTEM groups using well known names, and everything
else has the type INTERNAL.

When adding a user to a group create an account for the user if needed

Trying to add a user to a group that doesn’t have an account fails with
… is not a registered user.. Now adding a user to a group does not
immediately fail if there is no account for the user, but it tries to
authenticate the user and if the authentication is successful a user
account is automatically created, so that the user can be added to the
group. This only works if LDAP is used as user backend.

This allows to add users to groups that did not log in into Gerrit
before.

Differentiate between draft changes and draft comments

Show the draft changes of the user when he clicks on My > Drafts.
The user’s draft comments are now available under My >
Draft Comments.

Show NotFoundScreen if a user that can’t create projects tries to
access the ProjectCreationScreen

Add Edit, Reload next to non-editable Full Name field

If the user database is actually an external system users might need go
to another server to edit their account data, and then re-import their
account data by going through a login cycle. This is highly similar to
LDAP where the directory provides account data and its refreshed every
time the user visits the /login/ URL handler.

The URL for the external system can be configured for the
CUSTOM_EXTENSION auth type.

Access Rights

Restrict rebasing of a change in the web UI to the change owner and
the submitter

Restoring a change is similar to uploading a new change. If a branch
gets closed by removing the access rights to upload new changes it
shouldn’t be possible to restore changes for this branch.

Make read access to refs/meta/config by default exclusive to
project owners

When initializing a new site a set of default access rights is
configured on the All-Projects project. These default access rights
include read access on refs/* for Anonymous Users and read access
on refs/meta/config for Project Owners. Since the read access on
refs/meta/config for Project Owners was not exclusive,
Anonymous users were able to access the refs/meta/config branch
which by default should only be accessible by the project owners.

Search

Offer suggestions for the search operators in the search panel

There are many search operators and it’s difficult to remember all of
them. Now the search operators are suggested as the user types the
query.

Support alias self in queries

Writing an expression like "owner:self status:open" will now identify
changes that the caller owns and are still open. This self alias
is valid in contexts where a user is expected as an argument to a
query operator.

Add a command line option to the query SSH command to include submit
records in the output.

This facilitates the querying of information relating to the submit
status from the command line and by API clients, including information
such as whether the change can be submitted as-is, and whether the
submission criteria for each review label has been met.

Access Control

Elaborate on the required format of the ref used for Push Merge Commit
access right entries to avoid user confusion when granting access to
refs/heads/* still doesn’t allow them to push any merge commits.

Error

The change closed error can also occur when trying to submit a
review label with the SSH review command onto a change that has
been closed (submitted and merged, or abandoned) or onto a patchset
that has been replaced by a newer patchset.

Correct documentation of invalid author and invalid committer
errors

The error messages you are not committer ... and you are not
author ... were replaced with invalid author and invalid
committer.

Describe that the prohibited by Gerrit error is returned if pushing
a tag fails because the tagger is somebody else and the Forge
Committer access right is not assigned.

For downloading the commit-msg hook and the gerrit-cherry-pick
script users can either use scp or curl. Specify the output file for
each curl command so that the result is equal to the matching scp
command.

Document that user must be in repository root to install commit-msg
hook

This makes it easier to build for the browser you want to
test on, rather than remembering what its GWT name is.

Disable assertions for KeyCommandSet when running in gwtdebug mode

The assertions in the KeyCommandSet class cause exceptions when a
KeyCommand is registered several times.

Add the run profiles to the favorites menu

Add Intellij IDEA files to ignore list

Move local Maven repository to Google Cloud Storage

Make sure asciidoc uses unix line endings in generated HTML.

Use an explicit asciidoc attribute to make sure the produced HTML will
always contain unix line endings. This will help in producing build
results that are better comparable by size.

Remove timestamp from all org.eclipse.core.resources.prefs files

Eclipse overwrites these files when we import projects using m2e.
Eclipse 3 writes a timestamp at the top of these files making the Git
working tree dirty. Eclipse 4 (Juno) still overwrites these files but
doesn’t write the timestamp. This should help to keep the working tree
clean. However, since the timestamp is currently present in these
files, Eclispe 4 would still make them dirty by overwriting and
effectively removing the timestamp.

This change removes the timestamp from these files. This helps those
using Eclipse 4 and doesn’t make it worse for those still using Eclispe
3.

Add Maven profile to skip build of plugin modules

Building the plugin modules (Plugin API and Plugin Archetype) may
take a significant amount of time (since many jars are downloaded).
During development it is not needed to build the plugin modules. A new
Maven profile was added that skips the build of the plugin modules,
so that developers have a faster turnaround. This profile is called
no-plugins and it’s active by default. To include the plugin modules
into the build activate the all profile:

mvn clean package -P all

The script to make release builds has been adapted to activate the
all profile so that the plugin modules are always built for release
builds.

Mail

Add unified diff to newchange mail template

Add $email.UnifiedDiff as new macro to the NewChange.vm mail
template. This macro is expanded to a unified diff of the patch.

If a unified diff included in an email will exceed the limit configured
by the system administrator, only the affected file paths are listed in
the email instead. This gives interested parties some context on the
size and scope of the change, without killing their inbox.

Catch all exceptions when emailing change update

Allow unique from address generation

Allow the from email address to be a ParameterizedString that handles
the ${userHash} variable. The value of the variable is the md5 hash
of the user name. This allows unique generation of email addresses, so
GMAIL threads names of users in conversations correctly. For example,
the from pattern for gerrit-review defined in the Gerrit configuration
looks like this:

Some email clients hide the signature section of an email
automatically. If there are no reviewers listed on a new change,
such as when a change is pushed over HTTP and a notification is
automatically sent out to any subscribed watchers, the URL was
hidden inside of the signature and not readily available.

Show the URL right away in the body.

Miscellaneous

Back in-memory caches with Guava, disk caches with H2

Instead of using Ehcache for in-memory caches, use Guava. The Guava
cache code has been more completely tested by Google in high load
production environments, and it tends to have fewer bugs. It enables
caches to be built at any time, rather than only at server startup.

By creating a Guava cache as soon as it is declared, rather than
during the LifecycleListener.start() for the CachePool, we can promise
any downstream consumer of the cache that the cache is ready to
execute requests the moment it is supplied by Guice. This fixes a
startup ordering problem in the GroupCache and the ProjectCache, where
code wants to use one of these caches during startup to resolve a
group or project by name.

Tracking the Guava backend caches with a DynamicMap makes it possible
for plugins to define their own in-memory caches using CacheModule’s
cache() function to declare the cache. It allows the core server to
make the cache available to administrators over SSH with the gerrit
show-caches and gerrit flush-caches commands.

Persistent caches store in a private H2 database per cache, with a
simple one-table schema that stores each entry in a table row as a
pair of serialized objects (key and value). Database reads are gated
by a BloomFilter, to reduce the number of calls made to H2 during
cache misses. In theory less than 3% of cache misses will reach H2 and
find nothing. Stores happen on a background thread quickly after the
put is made to the cache, reducing the risk that a diff or web_session
record is lost during an ungraceful shutdown.

Cache databases are capped around 128M worth of stored data by running
a prune cycle each day at 1 AM local server time. Records are removed
from the database by ordering on the last access time, where last
accessed is the last time the record was moved from disk to memory.

Add OpenID SSO support.

Setting OPENID_SSO for
auth.type in the
gerrit.config will allow the admin to specify an SSO entry point URL
so that users clicking on "Sign In" are sent directly to that URL.

Git over HTTP BasicAuth against Gerrit basic auth.

Allows the configuration of native Gerrit username/password
authentication scheme used for Git over HTTP BasicAuth, as alternative
of the default DigestAuth scheme against the random generated password
on Gerrit DB.

With this configuration Git over HTTP protocol will be authenticated
using HTTP-BasicAuth and credentials checked on LDAP.

Abstract group systems into GroupBackend interface

Group backends are supposed to use unique prefixes to isolate the
namespaces. E.g. the group backend for LDAP is using ldap/ as prefix
for the group names.

This means that to refer to an LDAP group in the WebUI the group name
needs to be prefixed with the ldap/ string. E.g. if there is a group
in LDAP which is called "Developers", Gerrit will suggest this group
when the user types ldap/De.

Warning

External groups are not anymore allowed to be members of
internal groups.

Migrate existing internal LDAP groups

Previously, LDAP groups were mirrored in the AccountGroup table and
given an Id and UUID the same as internal groups. Update these groups
to be backed by only a GroupReference, with a special "ldap:" UUID
prefix. Migrate all existing references to the UUID in ownerGroupUUID
and any project.config.

For patch sets on the ChangeScreen different commands for downloading
the patch sets are offered. For some installations not all commands are
needed. Allow Gerrit administrators to configure which download
commands should be offered.

The notify section allows project owners to include emails to users
directly from project.config. This removes the need to create fake
user accounts to always BCC a group mailing list.

Include the contributor agreements in the project.config and
migrate contributor agreements to All-Projects

Update the parsing of project.config to support the contributor
agreements.

Add a new schema to move the ContributorAgreement, AccountAgreement,
and AccountGroupAgreement information into the All-Projectsproject.config.

Add sameGroupVisibility to All-Projectsproject.config

The sameGroupVisiblity is needed to restrict the visibility of
accounts when accountVisibility is SAME_GROUP. Namely, this is a
way to make sure the autoVerify group in a contributor-agreements
section is never suggested.

Add change topic in hook arguments

It was not possible for hook scripts to include topic-specific
behavior because the topic name was not included in the arguments.

Add --is-draft argument on patchset-created hook

The --is-draft argument will be passed with either true if
the patchset is a draft, or false otherwise.

This can be used by hooks that need to behave differently if the
change is a draft.

Log sign in failures on info level

If for a user signing in into the Gerrit web UI fails, this can have
many reasons, e.g. username is wrong, password is wrong, user is marked
as inactive, user is locked in the user backend etc. In all cases the
user just gets a generic error message Incorrect username or
password.. Gerrit administrators had trouble to find the exact reason
for the sign in problem because the corresponding AccountException was
not logged.

Do not log Object too large as error with full stacktrace

If a user pushes an object which is larger than the configured
receive.maxObjectSizeLimit parameter, the push is rejected with an
Object too large error. In addition an error log entry with the full
stacktrace was written into the error log.

This is not really a server error, but just a user doing something that
is not allowed, and thus it should not be logged as error. For a Gerrit
administrator it might still be interesting how often the limit is hit.
This is why it makes sense to still log this on info level.

For the user pushing a too large object we now do not print the
fatal: Unpack error, check server log message anymore, but only the
Object too large error message.

Add better explanations to rejection messages

Provide information to the user why a certain push was rejected.

Automatic schema upgrade on Gerrit startup

In case when Gerrit administrator(s) don’t have a direct access to the
file system where the review site is located it gets difficult to
perform a schema upgrade (run the init program). For such cases it is
convenient if Gerrit performs schema upgrade automatically on its
startup.

Since this is a potentially dangerous operation, by default it will not
be performed. The configuration parameter
site.upgradeSchemaOnStartup is used to switch on automatic schema
upgrade.

Shorten column names that are longer than 30 characters

Some databases can’t deal with column names that are longer than 30
characters. Examples are MaxDB and
Oracle.

Gerrit had two column names in the accounts table that exceeded the
30 characters: displayPatchSetsInReverseOrder,
displayPersonNameInReviewCategory

These 2 columns were renamed so that their names fit within the 30
character range.

Increase the maximum length for tracking ID’s to 32 characters

So far tracking ID’s had a maximum length of only 20 characters.

Set GERRIT_SITE in Gerrit hooks as environment variable

Allows development of hooks parameterized on Gerrit location. This can
be useful to allow hooks to load the Gerrit configuration when needed
(from $GERRIT_SITE) or even store their additional config files under
$GERRIT_SITE/etc and retrieve them at startup.

Excessive garbage collection on "dormant" repos is wasteful of both CPU
and disk IO. Large packfile churn can lead to heavy RAM and FS usage
on Gerrit servers when the Gerrit process continues to hold open the
old delete packfiles. This situation is most detrimental when jgit is
configured with large caching parameters. Aside from these downsides,
running git gc often can be very beneficial to performance on servers.
This script attempts to implement a git gc policy which avoids the
downsides mentioned above so that git gc can be comfortably run very
regularly.

git-exproll.sh uses keep files to manage which files will get
repacked. It also uses timestamps on the repos to detect dormant repos
to avoid repacking them at all. The primary packfile objective is to
keep around a series of packfiles with sizes spaced out exponentially
from each other, and to roll smaller packfiles into larger ones once
the smaller ones have grown. This strategy attempts to balance disk
space usage with avoiding rewriting large packfiles most of the time.

The exponential packing objective above does not save a large amount of
time or CPU, but it does prevent the packfile churn. Depending on repo
usage, however the dormant repo detection and avoidance can result in a
very large time savings.

Automatically flush persistent H2 cache if the existing cache entries
are incompatible with the cache entry class and thus can’t be
deserialized

Unpack JARs for running servers in $site_path/tmp

Instead of unpacking a running server into ~/.gerritcodereview/tmp
only use that location for commands like init where there is no active
site. From gerrit.sh always use $site_path/tmp for the JARs to
isolate servers that run on the same host under the same UNIX user
account.

Allow for the CUSTOM_EXTENSIONauth.type to configure URLs for
editing the user name and obtaining an HTTP password

Allow CUSTOM_EXTENSION auth type to supply by auth.editFullNameUrl
a URL in the web UI that links users to the other account system,
where they can edit their name, and then use another reload URL to
cycle through the /login/ step and refresh the data cached by Gerrit.

Allow CUSTOM_EXTENSION auth type to supply by auth.httpPasswordUrl
a URL in the web UI that allows users to obtain an HTTP password.

Like the rest of the CUSTOM_EXTENSION stuff, this is hack that will
eventually go away when there is proper support for authentication
plugins.

Performance

Fix performance issues on showing the list of groups in the Gerrit
WebUI

Loading Admin > Groups on large servers was very slow. The entire
group membership database was downloaded to the browser when showing
just the list of groups.

Now the amount of data that needs to be downloaded to the browser is
reduced by using the more lightweight AccountGroup type instead of
the GroupDetail type when showing the groups in a list format. As a
consequence the Owners column that showed the name of the owner group
had been dropped.

Add LDAP-cache to minimize number of queries when unnesting groups

A new cache named "ldap_groups_byinclude" is introduced to help lessen
the number of queries needed to resolve nested LDAP-groups.

Add index for accessing change messages by patch set

This improves the performance of loading the dashboards.

Add a fast path to avoid checking every commit on push

If a user can forge author, committer and gerrit server identity, and
can upload merges, don’t bother checking the commit history of what is
being uploaded. This can save time on servers that are trying to accept
a large project import using the push permission.

Improve performance of ReceiveCommits by reducing RevWalk load

JGit RevWalk does not perform well when a large number of objects are
added to the start set by markStart or markUninteresting. Avoid
putting existing refs/changes/ or refs/tags/ into the RevWalk and
instead use only the refs/heads namespace and the name of the branch
used in the refs/for/ push line.

Catch existing changes by looking for their exact commit SHA-1, rather
than complete ancestry. This should have roughly the same outcome for
anyone pushing a new commit on top of an existing open change, but
with lower computational cost at the server.

Lookup changes in parallel during ReceiveCommits

If the database has high query latency, the loop that locates existing
changes on the destination branch given Change-Id can be slow. Start
all of the queries as commits are discovered, but don’t block on
results until all queries were started.

If the database can build the ResultSet in the background, this may
hide some of the query latency by allowing the queries to overlap when
more than one lookup must be performed for a push.

Perform change update on multiple threads

When multiple changes need to be created or updated for a single push
operation they are now inserted into the database by parallel threads,
up to the maximum allowed thread count. The current thread is used
when the thread pool is already fully in use, falling back to the
prior behavior where each concurrent push operation can do its own
concurrent database update. The thread pool exists to reduce latency
so long as there are sufficient threads available.

This helps push times on databases that are high latency, such as
database servers that are running on a different machine from the
Gerrit server itself, e.g. gerrit.googlesource.com.

The new thread pool is
disabled by default, limiting the overhead to servers that have good
latency with their database, such as using in-process H2 database, or
a MySQL or PostgreSQL on the same host.

Use BatchRefUpdate to execute reference changes

Some storage backends for JGit are able to update multiple references
in a single pass efficiently. Take advantage of this by pushing
any normal reference updates (such as direct push or branch create)
into a single BatchRefUpdate object.

Assume labels are correct in ListChanges

To reduce end-user latency when displaying changes in a search result
or user dashboard, assume the labels are accurate in the database at
display time and don’t recompute the access privileges of a reviewer.

Notify the cache that the git_tags was modified

The tag cache was updated in-place, which prevented the H2 based
storage from writing out the updated tag information. This meant
servers almost never had the right data stored on disk and had to
recompute it at startup.

Anytime the value is now modified in place, put it back into the
cache so it can be saved for use on the next startup.

Special case hiding refs/meta/config from Git clients

VisibleRefFilter requires a lot of server CPU to accurately provide
the correct listing to clients when they cannot read refs/*.

Since the default configuration is now to
hide refs/meta/config, use a special case in VisibleRefFilter that
permits showing every reference except refs/meta/config if a user can
read every other reference in the repository.

By using the new /changes/
REST endpoint the web UI client now obtains the label information
during the query and avoids a second round trip to lookup the current
approvals for each displayed change. For most users this should improve
the way the page renders. The verified and code review columns will be
populated before the table is made visible, preventing the layout from
"jumping" the way the old UI did when the 2nd RPC finally finished and
supplied the label data.

Load patch set approvals in parallel

ResultSet is a future-like interface, the database system is free to
execute each result set asynchronously in the background if it
supports that. gwtorm’s default SQL backend always runs queries
immediately and then returns a ListResultSet, so for most installs this
has no real impact in ordering.

For the system that runs gerrit-review, each query has a high cost in
network latency, the system treats ResultSet as a future promise to
supply the matching rows. Getting all of the necessary ResultSets up
front allows the database to send all requests to the backend as early
as possible, allowing the network latency to overlap.

Upgrades

Update Gson to 2.1

Update GWT to 2.4.0

Update JGit to 2.0.0.201206130900-r.23-gb3dbf19

Use gwtexpui 1.2.6

Hide superfluous status text from clippy flash widget

Fix disappearance of text in CopyableLabel when clicking on it

Update Guava to 12.0.1

This fixes a performance problem with LoadingCache where the cache’s
inner table did not dynamically resize to handle a larger number
of cached items, causing O(N) lookup performance for most objects.

Bug Fixes

Security

Ensure that only administrators can change the global capabilities

Only Gerrit server administrators (members of the groups that have
the administrateServer capability) should be able to edit the
global capabilities because being able to edit the global capabilities
means being able to assign the administrateServer capability.

Because of this on the All-Projects project it is disallowed to assign

the owner access rights on refs/*

Project owners (members of groups to which the owner access right
is assigned) are able to edit the access control list of the projects
they own. Hence being owner of the All-Projects project would allow
to edit the global capabilities and assign the administrateServer
capability without being Gerrit administrator.

In earlier Gerrit versions (2.1.x) it was already implemented like
this but the corresponding checks got lost.

the push access right on refs/meta/config

Being able to push configuration changes to the All-Projects project
allows to edit the global capabilities and hence a user with this
access right could assign the administrateServer capability without
being Gerrit administrator.

From the Gerrit WebUI (ProjectAccessScreen) it is not possible anymore
to assign on the All-Projects project the owner access right on
refs/* and the push access right on refs/meta/config.

In addition it is ensured that an owner access right that is assigned
for refs/* on the All-Projects project has no effect and that only
Gerrit administrators with the push access right can push
configuration changes to the All-Projects project.

It is still possible to assign both access rights (owner on refs/*
and push on refs/meta/config) on the All-Projects project by directly
editing its project.config file and pushing to refs/meta/config.
To fix this it would be needed to reject assigning these access rights
on the All-Projects project as invalid configuration, however doing this
would mean to break existing configurations of the All-Projects project
that assign these access rights. At the moment there is no migration
framework in place that would allow to migrate project.config files.
Hence this check is currently not done and these access rights in this
case have simply no effect.

Web

Do not show "Session cookie not available" on sign in

When LDAP is used for authentication, clicking on the Sign In link
opens a user/password dialog. In this dialog the "Session cookie not
available." message was always shown as warning. This warning was
pretty useless since the user was about to sign in because he had no
current session.

Reject restoring a change if its destination branch does not exist
anymore

Reject submitting a change if its destination branch does not exist
anymore

If a branch got deleted and there was an open change for this branch,
it was still possible to submit this open change. As result the
destination branch was implicitly recreated, even if the user
submitting the change had no privileges to create branches.

When changing the diff base in the Old Version History on the change
screen and then entering the Side-By-Side view for a file, clicking on
the back button in the browser (reentering the change screen) was
causing the files to be wrongly compared with Base again.

Don’t NPE if current patch set is not available

Broken changes may have the current patch set field incorrectly
specified, causing currentPatchSet to be unable to locate the
correct data and return it. When this happens don’t NPE, just
claim the change is not reviewed.

issue 1555:
Fix displaying of file diff if draft patch has been deleted

Displaying any file diff for a patch set failed if the change had any
gaps in its patch set history. Patch sets can be missing, if they
have been drafts and were deleted.

An ArrayIndexOutOfBoundsException could occur when navigating from
one patch to the next/previous patch if the next/previous patch was a
newly added binary file. The exception occurred if the user was not
signed in or if the user was signed in and had Syntax Coloring in the
preferences enabled.

issue 816:
Fix wrong file indention in Side-by-Sie diff viewer on right side

Only set reviewed attribute on open changes

If a change is merged or abandoned, do not consider the reviewed
property for the calling user, so that the change is not highlighted
as unreviewed on the user’s dashboard.

Change PatchTable pointer when loading patch

This patch fixes an issue with the "file list" table displayed by
clicking on the "Files" sub-menu when viewing a diff.

Originally when navigating between patch screens the highlighted row
(pointer) of the file list table would not change when not directly
interacting with the table e.g. by clicking on the previous or next
file link.

This patch updates the file list table whenever a new patch screen is loaded
so that the pointer corresponds to the current patch being displayed.

Don’t hyperlink non-internal groups

When an external group (such as LDAP) is used in a permission rule,
don’t attempt to link to the group in the internal account system UI.
The group won’t load successfully. Instead just display the name and
put the UUID into a tooltip to show the full DN.

Fix: Popup jumps back to original position when resizing screen

On Watched Projects screen, the Browse button displays a popup
window. If the user moves it and then resizes the screen, it won’t snap
back to the original position.

If the search returned no results, the search button would not be
enabled and the status panel was not shown. Fixed the panel and button
to always be enabled.

Fix NullPointerException on /p/

Requesting just /p/ caused a NullPointerException as the redirection
logic had no project name to form a URL from. Detect requests for /p/
and redirect to Admin > Projects to show the projects the caller
has access to.

According to RFC 2847 section 5.2, SMTP server won’t send the banner
message again after STARTTLS negotiation. The original code will hang
until SMTP server kicks it off due to timeout and can’t send email with
STARTTLS enabled, aka. sendemail.smtpEncryption = tls.

Extract all mail templates during site init

The example mail templates RebasedPatchSet.vm, Restored.vm and
Reverted.vm were not extracted during the initialization of a new
site.

SSH

Fix reject message if bypassing code review is not allowed

If a user is not allowed to bypass code review, but tries to push a
commit directly, Gerrit rejected this push with the error message
"can not update the reference as a fast forward". This message was
confusing to the user since the push only failed due to missing
access rights. Go back to the old message that says "prohibited
by Gerrit".

Fix reject message if pushing tag is rejected because tagger is
somebody else

Pushing a tag that has somebody else as tagger requires the Forge
Committer access right. If this access right was missing Gerrit
was rejecting the push with "can not create new references". This error
message was misleading because the user may have thought that the
Create Reference access right was missing which was actually assigned.

The same reject message was also returned on push of an annotated tag
if the Push Annotated Tag access right was missing. Also in this case
the error message was not ideal.

Go back to the old more generic message which says prohibited by
Gerrit.

When a change is uploaded as a draft, a patchset-created event is
sent to the event stream, but since drafts are private to the owner,
the event is not publicly visible. When the draft is later published,
no publicly visible event was sent. As result of this external tools
that rely on the event stream to detect new changes didn’t receive
events for any changes that were first uploaded as draft.

There is now a new event, draft-published, which is sent to the
event stream when a draft change is published. The content of this
event is the same as patchset-created.

Fix: Wrong ps/rev in change-merged stream-event

When using cherry-pick as merge strategy, the wrong ref was set in the
change-merged stream-event.

The issue stems from Gerrit would not acknowledge the resulting new
pachset (the actual cherry-pick).

Fix NullPointerException in query SSH command

Running the query SSH command with the options --comments and
--format=JSON failed with a NullPointerException if a change had a
message without author. Change messages have no author if they were
created by Gerrit. For such messages now the Gerrit Server identity is
returned as author.

Fix the export-review-notes command’s Guice bindings

The export-review-notes command was broken because of the CachePool
class being bound twice. The startup of the command failed because of
that.

Fix sorting of SSH help text

Commands were displaying in random order, sort commands before output.

replicate command: Do not log errors for wrong user input

If the user provided an invalid combination of command options or an
non existing project name this was logged in the error.log but
printing the error out to the user is sufficient.

Authentication

Fix NPE in LdapRealm caused by non-LDAP users

Servers that are connected to LDAP but have non-LDAP user accounts
created by gerrit create-account (e.g. batch role accounts for
build systems) were crashing with a NullPointerException when the
LdapRealm tried to discover which LDAP groups the non-LDAP user
was a member of in the directory.

Fix domain field of HTTP digest authentication

Per RFC 2617 the domain field is optional. If it is not present,
the digest token is valid on any URL on the server. When set it
must be a path prefix describing the URLs that the password would
be valid against.

When a canonical URL is known, supply that as the only domain that
is valid. When the URL is missing (e.g. because the provider is
still broken) rely on the context path of the application instead.

Replication

Fix inconsistent behavior when replicating refs/meta/config

In replication.config, if authGroup is set to be used together with
mirror = true, refs blocked through the authGroup are deleted from
the slave/mirror. The same correctly applies if the authGroup is used
to block refs/meta/config.

However, if replicatePermission was set to false, Gerrit was
refusing to clean up refs/meta/config on the slave/mirror.

Fix bug with member assignment order in PushReplication.

The groupCache was being used before it was set in the class. Fix the
ordering of the assignment.

Approval Categories

Make NoBlock and NoOp approval category functions work

The approval category functions NoBlock and NoOp have not worked
since the integration of Prolog.

MAY was introduced as a new submit record status to complement OK,
REJECT, NEED, and IMPOSSIBLE. This allows the expression of
approval categories (labels) that are optional, i.e. could either be
set or unset without ever influencing whether the change could be
submitted. Previously there was no way to express this property in
the submit record.

This enables the NoBlock and NoOp approval category functions to
work as they now emit may() terms from the Prolog rules. Previously
they returned ok() terms lacking a nested user term, leading to
exceptions in code that expected a user context if the label was OK.

Fix category block status without negative score

Categories without blocking or approval scores will result in the
blocking/approved image appearing in the category column after changes
are merged should the score by the reviewer match the minimum or
maximum value respectively.

A check to ignore "No Score" values of 0 was added.

Don’t remove dashes from approval category name

If an approval category name contained a dash, it was removed by
Gerrit. On the other side a space in an approval category name is
converted to a dash. This was confusing for writing Prolog submit
rules. If, for example, one defined a new category named X-Y, then in
the Prolog code the proper name for that category would have been XY
which was unintuitive.

Fix NPE in PRED__load_commit_labels_1

If a change query uses reviewer information and loads the approvals
map, but there are no approvals for a given patch set available, the
collection came out null, which cannot be iterated. Make it always be
an empty list.

Other

If a new project is created in Gerrit the replication creates the
repository for this new project directly in the filesystem of the slave
server. The slave server was not discovering this new repository and as
result any attempt to clone the corresponding project from the slave
server failed.

issue 1548:
Create a ref for the patch set that is created when a change is
cherry-picked and trigger the replication for it:

If Cherry Pick is chosen as submit type, on submit a new commit is
created by the cherry-pick. For this commit a new patch set is created
which is added to the change. Using any of the download commands to
fetch this new patch set failed with Couldn’t find remote ref because
no ref for the new patch set was created.

issue 1626:
Fix NullPointerException on cherry-pick if changeMerge.test is enabled

Pushing a commit directly into the central repository with bypassing
code review wrongly resulted in a "change … closed" message if the
commit was already pushed for review and if a Change-Id was included in
the commit message. Despite of the error message the push succeeded and
the corresponding change got closed. Now the message is not printed
anymore.

Fix NPE that can hide guice CreationException on site init

Note that the --show-stack-trace option is needed to print the stack
trace when a program stops with a Die exception.

Do not automatically add author/committer as reviewer to drafts

Do not automatically add reviewers from footer lines to drafts

Fix NullPointerException in MergeOp

The body of the commit object may have been discarded earlier to
save memory, so ensure it exists before asking for the author.

The commit_delta predicate was matching the entire file name against
the given regular expression while other predicates (commit_edits,
commit_message_matches) performed substring matching. It was
inconsistent that for commit_delta it was needed to write something
like:

commit_delta('.*\.java')

to match all *.java files, while for commit_edits it was:

commit_edits('\.java$', '...')

to match the same set of (Java) files.

Create index for submodule subscriptions on site upgrade

Fix URL to Jetty XML DTDs so they can be properly validated

Fix resource leak when changeMerge.test is true

Fix possible synchronization issue in TaskThunk

Fix possible NPEs in ReplaceRequest.cmd usage in ReceiveCommits

The cmd field is populated by validate(boolean). If this method
fails, results on some ReplaceRequests may not be set. Guard the
attempt to access the field with a null check.

Match no labels if current patch set is not available

If the current patch set cannot be loaded from ChangeData, assume no
label information. This works around an NullPointerException inside of
ChangeControl where the PatchSet is otherwise required.

Create new patch set references before database records

Ensure the commit used by a new change or replacement patch set
always exists in the Git repository by writing the reference first
as part of the overall BatchRefUpdate, then inserting the database
records if all of the references stored successfully.

Fix rebase patch set and revert change to update Git first

Update the Git reference before writing to the database. This way the
repository cannot be corrupted if the server goes down between the two
actions.

Make sure we use only one type of NoteMerger for review notes creation

Fix generation of owner group in GroupDetail

Set the GroupDetail.ownerGroup to the AccountGroup.ownerGroupUUID
instead of the groupUUID.